Comments on Carnal0wnage Blog: Direct Shellcode Execution via MS Office Macros with Metasploit
(14 comments, oldest first)

Ficti0n (2012-02-03 21:57 -05:00):
Used this on a test yesterday... worked like a charm :P

One thing to note though: def migrate immediately via an RC script or something. The shell dies with the document, so have enough info in the document to keep the person busy for a minute.
Also, here is another method using shellcode exec; just make sure to create a version of shellcode exec that bypasses AV when downloaded.
http://huptwo34.blogspot.com/2012/01/winning-with-vba-macros.html

Stewart F (2012-02-07 09:34 -05:00):
Great post! Been looking to do this for a while. When I tried something besides opening up calc (like generating a meterpreter payload using msfvenom) I get very similar VBA code, but it just crashes Word 2010.

Any suggestions on how to get a useful payload to work this way?

CG (2012-02-07 09:40 -05:00):
I used his template on the blog post with Excel 2010 but with meterpreter https, and it worked with no problems (Win7 64-bit).

If I have some time I'll try with Word.

Stewart F (2012-02-07 10:17 -05:00):
Thanks! It worked using that method in Word 2010 (not using msfvenom).

pipefish (2012-02-07 10:43 -05:00):
Very cool. I used to use this method using shellcode2vbscript.py from the coresec blog (http://www.coresec.org/2011/04/26/create-malicious-excel-files-using-metasploit-and-shellcode2vbscript/), but now I have a new method!

Anonime (2012-02-28 10:27 -05:00):
CG, could you share how you did reverse https with the xls provided from the blog?

It would be really interesting to know.
Would appreciate it.
Rgds.

CG (2012-03-08 17:06 -05:00):
The same way as in the post.

Just do a:

msf > use payload/windows/meterpreter/reverse_https

fill in options

generate -t vba

Anonime (2012-03-14 01:02 -04:00):
Got it! Wow... and you're right, it works with the xls provided on the blog.
Tks so much bro.

Rgds.

P.S.

Fails with Office 2007 because VB is not installed by default on it.

Anonymous (2012-05-30 16:04 -04:00):
I've noticed that this crashes Word 2010. Any idea why (Win7 64-bit)?

Seems to work fine on Word 2007 (WinXP).

Thanks!

CG (2012-05-30 17:00 -04:00):
Works fine for me, Win7 64-bit.

I have seen it crash when the handler can't be reached, though.

Anonymous (2013-07-16 07:43 -04:00):
I tried this and it worked on my system, but when I try testing on another system it doesn't work. I mean I create a .doc with VBA on PC1 and test on PC2 and it doesn't work; it only works on the system I created it on.

Anyone have an idea what might be wrong?

CG (2013-07-23 00:29 -04:00):
Are the architectures the same?

jdiggidy (2013-12-16 23:34 -05:00):
Hey folks, just wanted to share the comment scriptjunkie made with regard to this crashing on Win7 running Office 2007 (found here: http://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/):

"Maybe it's trying to run 32 bit shellcode which crashes in a 64 bit process? Generate a 64 bit calc with windows/x64/exec, and see if that works. You should also be able to set up a x64 and x86 handler, and put both payloads into one doc with something like this around the shellcode:

#if Win64 then
' Code is running in 64-bit version of Microsoft Office
#else
' Code is running in 32-bit version of Microsoft Office
#end if

then it should work in both versions. But I don't have a 64 bit office to test. :-/ Otherwise it's just break out the windbg and see what happens."

I haven't got it working yet, but thought I'd share and see if anyone else might have figured this one out.

Anonymous (2013-12-25 16:09 -05:00):
Works well; the only problem is, it gets detected by AVs. Does anyone know any AV evasion methods for this script?